- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tuesday
Thank you @Louis_Frolio — this is exactly the clarity I was looking for. Your explanation of how UC's session policy generates arn:aws:s3:::bucket/prefix/* while Access Points require the arn:aws:s3:<region>:<acct>:accesspoint/<name>/object/<prefix>/* namespace confirms the root cause we couldn't verify without internal context.
A few follow-ups:
1. Feature request filed: I've opened a case with our Databricks account team referencing this thread and the repro evidence. Hopefully it helps prioritize.
2. Incremental staging: Your DataSync → Auto Loader suggestion is what we're running now. For others reading: ONTAP FPolicy (file event notification) → SQS → Lambda can also trigger incremental ingestion without full-directory scans — useful when the source has millions of files but few changes per hour.
3. OpenSharing path: One adjacent development — OpenSharing (announced at DAIS as the Delta Sharing evolution under the Linux Foundation) defines a credential vending model where the server issues scoped STS credentials directly. The recipient calls standard S3 APIs with those credentials, which operates independently of UC's credential vending path. I validated reads against the same FSx S3 AP via this pattern. Note that this is read-only and outside UC governance, but for cross-platform sharing it may complement the UC path until native support arrives. Details in the repo linked above.
Thanks again for confirming this is a product gap, not misconfiguration. That helps us architect the right workarounds.